Letsencrypt on Ubuntu for ERPNext and Frappe
This is a continuation of ( https://cloud.erpgulf.com/blog/support-forum/installing-erpnext-version-14-on-ubuntu-22+ ) and part of a series. The explanation can be seen on Youtube.com/ERPGulf
Let's do Letsencrypt for ERPNext now
This article is a continuation of https://cloud.erpgulf.com/blog/blogs/erpnext-version-14-install-in-production-mode-nginx-supervirso-gunicorn
sudo service nginx stop
sudo apt install certbot -y
sudo apt install certbot python3-certbot-nginx
sudo certbot certonly -a nginx -d yoursite.example.com
(You may get the error unknown log format "main" at this stage. Please read Note 1 at the end of this article to resolve it.)
You will get a message like this:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
The certificate is now in this folder: /etc/letsencrypt/live/
Edit the nginx configuration file. In our case it is /etc/nginx/conf.d/frappe-bench.conf
Go to the server section and change port 80 to 443 (or whatever port you want).
The added/edited lines are shown below.
server {
    listen 443 ssl;
    server_name yoursite.example.com;
    root /opt/bench/frappe-bench/sites;
    ssl_certificate /etc/letsencrypt/live/yoursite.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yoursite.example.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    # the remaining lines of the existing server block stay as they are
Restart nginx
service nginx restart
Now you have an https site.
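A check that can be run on the edited file around the restart above: it reports a certificate and key taken from different directories, cert.pem used in place of fullchain.pem, a protocol older than TLSv1.2, or a missing HSTS header. This script is an added example, not part of the original article; the function names directive_value and audit_tls_conf are its own, and it assumes the certbot layout shown above (fullchain.pem and privkey.pem in the same live/ directory).

```shell
#!/bin/sh
# Added example (not from the original article): audit the TLS lines of the
# nginx server block. Function names are this example's own.

# Print the value of the first occurrence of directive $1 in file $2.
directive_value() {
    sed -e 's/#.*//' "$2" | awk -v d="$1" '$1 == d {
        sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]*;[ \t]*$/, ""); print; exit }'
}

# Print one line per finding; the return status is the number of findings.
audit_tls_conf() {
    conf=$1
    findings=0
    report() { echo "FINDING: $1"; findings=$((findings + 1)); }
    cert=$(directive_value ssl_certificate "$conf")
    key=$(directive_value ssl_certificate_key "$conf")
    protocols=$(directive_value ssl_protocols "$conf")

    [ -n "$cert" ] || report "ssl_certificate is not set"
    [ -n "$key" ] || report "ssl_certificate_key is not set"
    # certbot keeps fullchain.pem and privkey.pem in the same live/<name>/ directory
    if [ -n "$cert" ] && [ -n "$key" ] && [ "$(dirname "$cert")" != "$(dirname "$key")" ]; then
        report "certificate and key are in different directories"
    fi
    # cert.pem alone omits the intermediate chain that clients need
    case "$cert" in
        ""|*/fullchain.pem) ;;
        *) report "ssl_certificate is $(basename "$cert"), expected fullchain.pem" ;;
    esac
    [ -n "$protocols" ] || report "ssl_protocols is not set, nginx defaults apply"
    for p in $protocols; do
        case "$p" in
            TLSv1.2|TLSv1.3) ;;
            *) report "legacy protocol enabled: $p" ;;
        esac
    done
    grep -Eq '^[[:space:]]*listen[[:space:]].*[[:space:]]ssl[[:space:];]' "$conf" ||
        report "no 'listen ... ssl' line"
    grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$conf" ||
        report "Strict-Transport-Security header is missing"
    return "$findings"
}

# Run against a file when one is given, e.g. /etc/nginx/conf.d/frappe-bench.conf
if [ "$#" -gt 0 ]; then audit_tls_conf "$1"; fi
```

Save it as a file and pass the configuration path as the only argument; an exit status of 0 means no findings. It complements nginx -t, which checks syntax only.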
The full nginx configuration file for Frappe is here: https://github.com/ERPGulf/docs/blob/main/frappe-bench.conf
You also need redirects to forward from http to https and/or to drop the www part. The file for that is here; put it in the conf.d folder: https://github.com/ERPGulf/docs/blob/main/redirect.conf
The next part is making sure the Letsencrypt certificate gets renewed every three months.
crontab -e
add this line
15 3 * * * /usr/bin/certbot -a nginx renew --quiet
vim /etc/letsencrypt/cli.ini
add this line
deploy-hook = systemctl reload nginx
You can use this command to check that the certbot timer is running
sudo systemctl status certbot.timer
It should report "Started Run certbot twice daily"
Try a dry-run for renewal. You should get a "Congratulations" message.
sudo certbot -a nginx renew --dry-run
Happy hosting.
Let us know your feedback
Add another site on the same ERPNext server https://cloud.erpgulf.com/blog/linux-and-cloud/adding-antoher-site-on-ubuntu-22-erpnext-14
------------------------------
Note 1:
If you face a problem with nginx because of a log format error (log format "main" not found, or something like that):
sudo vim /etc/nginx/nginx.conf and add the following to the http section.
log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"';
-----------------------
Team ERPGulf
The team behind ERPGulf blogs here, expresses their thoughts, shares the experience, often show the frustrations. Contact us on support@ERPGulf.com
Getting an error when trying to renew the certificate
Hello Everyone,
I am trying to link the SSL Certificate to my bench. I have a bench of the 15th version.
{ "dbname": "dbname", "dbpassword": "dbpassword", "dbtype": "mariadb", "encryptionkey": "key", "serverscriptenabled": 1, "usertypedoctypelimit": { "employeeselfservice": 30 }, "domains": [ { "domain": "subdomain.domain.ai", "sslcertificate": "/home/pc/Documents/Certificate/subdomain.domain.ai.crt", "sslcertificatekey": "/home/pc/Documents/Certificate/subdomain.domain.ai.key" } ] }
This is my site_config.json.
I have a certificate that has been purchased from the emsign, I don’t want to create a new one with Let’s Encrypt.
Please guide me on how to configure the certificate.
THANK YOU SIR. This series saved me hours of frustration (worked with current v15 and Python 3.11)!
This is a great tutorial with clear instructions in the YouTube video. I have been searching for how to install SSL on a custom port other than port 443. It helps me a lot. Thank you sir.
ERPNextTips
Certbot may not work in Python 3.10
So do the following step: run vim /usr/bin/certbot and change the line #!/usr/bin/python3 to #!/usr/bin/python3.8